Yahoo Says Second Hack Affected More Than 1 Billion Accounts

(Bloomberg) -- Yahoo! Inc. disclosed a second major security breach that may have affected more than 1 billion user accounts, another blow to the company’s reputation as it nears the sale of its main web businesses to Verizon Communications Inc.

The company said in a statement Wednesday that it hasn’t been able to identify the “intrusion” associated with this theft, which was carried out by a third party in August 2013. The event was unearthed by forensic experts after law enforcement investigators warned the company about a potential breach. Yahoo has said it has about 1 billion users.

Yahoo said it believes the incident “is likely distinct” from the hack the company disclosed in September. The shares dropped as much as 2.7 percent in extended trading after the announcement.

In September, Yahoo said the personal information of at least 500 million accounts was stolen in a 2014 attack on its accounts, exposing data from a wide swath of its users ahead of the Verizon deal. The attacker was a “state-sponsored actor,” and stolen information may have included names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo has said.

“This is more of the same bad news for every Yahoo user,” Paul Martini, chief executive officer of San Diego-based Iboss Cybersecurity, said in a statement. “What’s really shocking about this latest breach is that everyone with a Yahoo account has now likely had their personal information stolen two or three times.”

Continuing Challenges

For CEO Marissa Mayer, the new hacks could weaken Yahoo’s reputation with users who have been using its services for years and further tarnish its credibility ahead of the Verizon deal. The lack of progress on the earlier breach, and the limited information provided to Verizon, caused misgivings inside the telecommunications company about the deal, people familiar with the matter told Bloomberg in October. Yahoo said last month the $4.8 billion sale of its web portal still is expected to close in the first quarter of next year.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” Verizon said Wednesday in an e-mailed statement. “We will review the impact of this new development before reaching any final conclusions.”

If the investigation shows significant harm to the business and Yahoo customers, Verizon would consider options like reducing the deal price or walking away, a person familiar with the matter said Wednesday. The acquisition still makes strategic sense for Verizon, said another person familiar with the company’s discussions.

“Strategically, common wisdom is that the parts of the company that Verizon is most interested in are not necessarily that tied to stuff like user accounts and e-mail -- it’s the media properties,” said Jeff Vogel, managing director at investment banking firm Bulger Partners. “If the liabilities of the rest of the company are more significant -- because of lawsuits and damages and reputational damage -- than we had thought, that could impact the deal financially.”

Alerting Users

In the 2013 hack disclosed Wednesday, Yahoo said compromised user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The company said it was notifying potentially affected users and had taken steps to secure their accounts.

In November, Yahoo gave an update to investors on its internal review of the hack, saying an independent board committee is investigating how many employees at Yahoo knew about the breach. Yahoo also previously disclosed an investigation into the creation of forged cookies that could allow an intruder to access users’ accounts without a password. As of now, the company believes an unauthorized party accessed the “code to learn how to forge cookies.”

“Experts have identified user accounts for which they believe forged cookies were taken or used,” the company said. “Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”